From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 05:18:27 +0200
Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases
Message-ID: <20170911031829.4163-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This change also grants exim (the other caller of the mta_read_aliases interface) to map the mail aliases, but that seems minor enough not to warrant the creation of a new interface.
---
 mta.if | 2 +-
 postfix.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/mta.if b/mta.if
index 2b99dd5..8565982 100644
--- a/mta.if
+++ b/mta.if
@@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
 ')
 files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:file { read_file_perms map };
 ')
 ########################################
diff --git a/postfix.te b/postfix.te
index 84e0b5e..eb4af6c 100644
--- a/postfix.te
+++ b/postfix.te
@@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };
 allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
 allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
 allow postfix_domain postfix_master_t:file read_file_perms;
@@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
 allow postfix_map_t self:tcp_socket { accept listen };
 allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
 allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-- 
2.14.1
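Review bot: `mta_read_aliases` now grants `map` while its name, and presumably its `## <summary>` text above the hunk (not visible here), still describe plain read access, so a reviewer auditing a caller cannot tell from the call site that mapping is allowed. Update the summary to say so, e.g. `Read and map mail aliases.`. None of the three changed rules records why `map` is needed; a one-line comment such as `# cdb and similar table drivers mmap() their databases` above this rule and above the two `postfix_etc_t:file` rules in postfix.te would keep the reason next to the permission.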
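Review bot: In the `@@ -115` hunk, `map` on `postfix_etc_t:file` goes to `postfix_domain`, which by its name and the neighbouring rules looks like the attribute shared by all Postfix domains, so every daemon receives it rather than only the ones that open lookup tables. An established mapping is not rechecked the way a fresh `read` is, so a later relabel or policy change does not revoke access to data already mapped; that is why `map` is a separate permission and why it is worth scoping tightly. Consider confirming from the AVC denials which domains actually map these files and granting `map` only to those types. If the attribute-wide grant is intended, state that in a comment on the rule.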